World’s first (known) bootkit for OS X can permanently backdoor Macs

Securing Macs against stealthy malware infections could get more complicated thanks to a new proof-of-concept exploit that allows attackers with brief physical access to covertly replace the firmware of most machines built since 2011.

Once installed, the bootkit—that is, malware that replaces the firmware that is normally used to boot Macs—can control the system from the very first instruction. That allows the malware to bypass firmware passwords, passwords users enter to decrypt hard drives and to preinstall backdoors in the operating system before it starts running. Because it's independent of the operating system and hard drive, it will survive both reformatting and OS reinstallation. And since it replaces the digital signature Apple uses to ensure only authorized firmware runs on Macs, there are few viable ways to disinfect infected boot systems. The proof-of-concept is the first of its kind on the OS X platform. While there are no known instances of bootkits for OS X in the wild, there is currently no way to detect them, either.

The malware has been dubbed Thunderstrike, because it spreads through maliciously modified peripheral devices that connect to a Mac's Thunderbolt interface. When plugged into a Mac that's in the process of booting up, the device injects what's known as an Option ROM into the extensible firmware interface (EFI), the firmware responsible for starting a Mac's system management mode and enabling other low-level functions before loading the OS. The Option ROM replaces the RSA encryption key Macs use to ensure only authorized firmware is installed. From there, the Thunderbolt device can install malicious firmware that can't easily be removed by anyone who doesn't have the new key.

Read 9 remaining paragraphs | Comments

FBI Director says Sony hackers “got sloppy,” exposed North Korea connection [Updated]

In a speech at the International Conference on Cyber Security (ICCS) today in New York, FBI Director James Comey reiterated the bureau's confidence that North Korea was involved in the cyber attack on Sony Pictures Entertainment. "There's not much I have high confidence about," Comey said, as reported by the FBI New York field office's official Twitter feed. "I have very high confidence... on North Korea." And he downplayed suggestions by outsiders that others might be responsible, saying that critics “don’t have the facts that I have, they don’t see what I see.”

In a separate speech today at the ICCS, Director of National Intelligence James Clapper said that the attack on Sony demonstrated a new type of threat posed by North Korea. During a meeting last year with a North Korean general to negotiate the release of two American prisoners in North Korea, Clapper said that the general told him the regime is "deadly serious" about perceived insults by the US to its "supreme leader" and that North Koreans feel that the US has put their country under siege.

While the Sony attackers had largely concealed their identity by using proxy servers, Comey said that on several occasions they "got sloppy" and connected directly, revealing their own IP address. It was those slip-ups, he said, that provided evidence linking North Korea to the attack on Sony's network. Comey also said that analysts at the FBI found the patterns of writing and other identifying data from the attack matched previous attacks attributed to North Korea. Additionally, there was other evidence, Comey said, that he could not share publicly.

Read 3 remaining paragraphs | Comments

South Korea says North Korea doubled size of its “cyber forces,” can nuke US

A report published by South Korea's Defense Ministry on December 6 estimates that North Korea has further increased its focus on network and electronic warfare over the last year, doubling the size of its "cyber forces" to 6,000 soldiers. The report also warned that North Korea has made significant advances in its nuclear weapons technology and could now have the capability of threatening the mainland of the United States with a nuclear strike.

The report, the ministry's 2014 Defense White Paper, is a biennial review of South Korea's defense policy similar to the US Department of Defense's Quadrennial Review, intended to define the government's defense policy. Defense Ministry officials stated in the report that North Korea's efforts in cyber-warfare and other "asymmetric" capabilities are part of an effort to cause "physical and psychological paralysis inside South Korea such as causing troubles for military operations and national infrastructures."

The Defense Ministry report also claimed that North Korea had made advances in miniaturization of nuclear warheads, which
would allow them to be mounted more readily on intercontinental ballistic missiles. "The ability to miniaturize nuclear weapons seems to be at an early but significant level and is estimated as having the ability to threaten the US mainland through a long-range missile," a Defense Ministry spokesperson said in a summary of the report. The assessment is based on estimates of North Korea's production of highly enriched uranium.

Read on Ars Technica | Comments